HHVM Fatal error with hash_equals() on WordPress 3.9.2

[kinstahosting]

The hash_equals() function introduced in r29382 causes lots of fatal errors with HHVM 3.2. It usually happens with custom themes and/or plugins, log says:

\nFatal error: Argument 2 passed to hash_equals() must be an instance of string, null given in /var/www/xyz.com/wp-includes/pluggable.php on line 1662

PHP fails but only issues a warning in these cases, HHVM on the other hand dies.

Is there something we can do about this, or should I pursue a request for the HHVM team to change it from fatal error to a warning too?

[ocean90]

The error comes from wp_verify_nonce(), see tags/3.9.2/src/wp-includes/pluggable.php#L1662​, where $nonce seems to be null.

Before [29384] $nonce was used inside the condition and is now passed to hash_equals(). I think we should bail earlier, when $nonce is empty, see 29217.patch​.

[nacin]

In 29620:

Require a non-empty $nonce value in wp_verify_nonce().

props ocean90.
fixes #29217.

[nacin]

[29620] specifically adds a unit test that would fatal in HHVM without the patch.

I imagine this would happen pretty commonly when wp_verify_nonce() is passed something from GPC that isn't set.